Question 67 of 507
Network Intrusion Analysis · hard · Multiple Select · Objective-mapped

Quick Answer

The answer is adding specific destination IP addresses of legitimate SMB servers, along with creating rule exceptions for internal subnets and tuning threshold values. This is correct because tuning Snort signatures to reduce false positives requires distinguishing between benign and malicious traffic on the same port; by whitelisting known internal SMB servers, the rule ignores expected file-sharing activity and only alerts on anomalous external connections, directly addressing the high false positive rate. On the Cisco CyberOps Associate 200-201 exam, this concept tests your ability to apply signature tuning techniques like exceptions, thresholds, and IP whitelisting—a common trap is disabling the rule entirely instead of refining it, or confusing source and destination IPs. Remember the mnemonic “DET” for Destination IPs, Exceptions, and Thresholds to recall the three tuning factors that improve accuracy without sacrificing detection.

200-201 Network Intrusion Analysis Practice Question

This 200-201 practice question tests your understanding of network intrusion analysis. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

An analyst is investigating an alert triggered by a Snort rule that matches traffic on port 445 (SMB). The analyst sees that the signature has a high false positive rate. Which THREE factors should the analyst evaluate to tune the signature for better accuracy? (Choose three.)


Correct answer & explanation

Creating a rule exception for internal subnets that use SMB for file sharing.

Option C is correct because creating a rule exception for internal subnets that legitimately use SMB for file sharing reduces false positives by excluding known benign traffic. This allows the Snort rule to focus on external or anomalous SMB traffic on port 445, improving detection accuracy without disabling the rule entirely.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Implementing a behavioral analysis heuristic to detect anomalous SMB activity.

    Why it's wrong here

    Snort is signature-based; behavioral analysis is not a tuning method.

  • Disabling the rule to eliminate false positives.

    Why it's wrong here

    Disabling removes detection entirely, not a tuning approach.

  • Creating a rule exception for internal subnets that use SMB for file sharing.

    Why this is correct

    Exceptions for known benign traffic improve accuracy.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Adjusting the detection threshold to only alert when a certain number of SMB events occur within a time window.

    Why this is correct

    Threshold-based tuning can reduce false positives from low-rate legitimate traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Adding specific destination IP addresses of legitimate SMB servers.

    Why this is correct

    Whitelisting known servers reduces false positives.

    Related concept

    Read the scenario before looking for a memorised answer.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the distinction between tuning an existing signature (e.g., adding exceptions or thresholds) versus implementing entirely new detection methods (e.g., behavioral analysis), which leads candidates to mistakenly select options that propose changing the detection approach rather than refining the rule.

Detailed technical explanation

How to think about this question

Snort rules combine header fields (protocol, source/destination IP addresses and ports, direction) with content matching to trigger alerts. Tuning often involves adding 'flow:to_server,established' so the rule only inspects client-to-server packets inside an established TCP session, or using 'threshold' directives to limit how often a signature alerts. In real-world environments, SMB traffic on port 445 is common for file sharing, so whitelisting trusted subnets and servers, via 'ipvar' variables in the rule header or 'suppress' directives in threshold.conf, is standard practice to reduce noise without losing visibility into malicious SMB activity such as EternalBlue exploitation.
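The fragment below is an added example, not from the page or the exam, showing how the three tuning factors in the answer key look in a Snort 2.x configuration. The subnets, host addresses and SIDs are constructed placeholders, and the event_filter and suppress lines are assumed to live in threshold.conf (or anywhere snort.conf includes).

```snort
# Added example: tuning a noisy SMB (TCP/445) signature in Snort 2.x.
# All addresses and SIDs below are constructed placeholders.

# Internal subnets and the sanctioned file servers (placeholders).
ipvar HOME_NET    [192.168.1.0/24,10.10.0.0/16]
ipvar SMB_SERVERS [192.168.1.10,192.168.1.11]

# Factor 1 - exception for internal subnets. The untuned form
#   alert tcp any any -> any 445 (...)
# fires on every internal file-share open. Negating HOME_NET as the
# source keeps only sessions that originate outside the trusted subnets.
alert tcp !$HOME_NET any -> $HOME_NET 445 ( \
    msg:"SMB session from external host to internal network"; \
    flow:to_server,established; \
    classtype:attempted-recon; sid:1000445; rev:2; )

# Factor 3 - destination whitelist. Once the known servers are excluded,
# what remains interesting is an internal host opening SMB to anything
# that is not a sanctioned file server.
alert tcp $HOME_NET any -> !$SMB_SERVERS 445 ( \
    msg:"SMB session to non-sanctioned destination"; \
    flow:to_server,established; \
    classtype:policy-violation; sid:1000446; rev:1; )

# Factor 2 - threshold. For sid 1000446 alert only when one source reaches
# 5 matches inside 60 s: a single stray share lookup stays quiet, a host
# touching many peers still surfaces. The in-rule "threshold" keyword is
# deprecated since Snort 2.8.5; event_filter is the supported form.
event_filter gen_id 1, sig_id 1000446, type threshold, track by_src, count 5, seconds 60

# Targeted exception instead of disabling the rule: a backup appliance
# (placeholder address) legitimately enumerates shares on every host.
suppress gen_id 1, sig_id 1000446, track by_src, ip 10.10.5.20
```

Reload the configuration and re-check the alert volume per SID over a day; each exception should be traceable to a named, documented source of benign traffic.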

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this 200-201 question test?

This question tests the Network Intrusion Analysis domain. Read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: Creating a rule exception for internal subnets that use SMB for file sharing. — Option C is correct because creating a rule exception for internal subnets that legitimately use SMB for file sharing reduces false positives by excluding known benign traffic. This allows the Snort rule to focus on external or anomalous SMB traffic on port 445, improving detection accuracy without disabling the rule entirely.

What should I do if I get this 200-201 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →


Same concept, more angles

1 more way this is tested on 200-201

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. An IDS generates an alert for a signature that matches HTTP traffic containing 'cmd.exe' in the URI. The analyst checks the packet and sees the URI is actually 'cmd.exe?help'. What should the analyst do?

Difficulty: easy
  • A. Block the source IP
  • B. Tune the signature to reduce false positives
  • C. Disable the signature
  • D. Escalate to incident response

Why B: The IDS signature triggered on the presence of 'cmd.exe' in the URI, but the actual traffic was 'cmd.exe?help', which is a legitimate help request and not an exploitation attempt. Tuning the signature to account for the query string reduces false positives without losing detection capability for actual attacks. This aligns with best practices for IDS management, where signatures are adjusted to match real threat patterns rather than exact strings.

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.


This 200-201 practice question is part of Courseiva's free Cisco certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the 200-201 exam.